Lawmakers want hacking answers

Senator says reports of breach conflict

Nov. 9, 2012

S.C. Department of Revenue Director, James Etter, answers questions by the S.C. Senate Finance Committee concerning the breach that lead to 6.3. million social security numbers being stolen last week. The meeting takes place in the Gressette Building on the S.C. State House grounds. / C. Aluka Berry/caberry@thestate.com

Written by

Staff writer

COLUMBIA — An Upstate senator who will lead a panel investigating the massive data breach at the Department of Revenue says he wants to learn how the hacking happened but doesn’t believe lawmakers should throw money at the problem without first asking a lot of questions.

A week after hearing Revenue Department officials answer questions about the breach, Senate Finance Committee Chairman Hugh Leatherman appointed two Upstate senators, Sen. Kevin Bryant of Anderson and Sen. Billy O’Dell of Ware Shoals, to head a special subcommittee to investigate the hacking and discover what can be done to further protect the state’s computer systems and the information in them.

“We will not play the blame game or compromise any criminal investigation,” Leatherman said in a statement.

“We want to provide an open and transparent inquiry to find out what happened, make sure it is being corrected and, above all, ensure that everything possible is being done to protect individual and corporate taxpayers from a colossal failure that was not their fault.”

The breach, believed to have happened in September, exposed 3.6 million Social Security numbers, 387,000 mostly encrypted credit and debit card numbers, information for as many as 657,000 businesses and information on checks used to pay taxes.

In response, Gov. Nikki Haley ordered her inspector general to conduct a review of all agencies’ computer security and she negotiated credit monitoring services for South Carolina taxpayers and businesses. A criminal investigation led by the U.S. Secret Service, which informed the state of the breach on Oct. 10, is ongoing.

Haley told GreenvilleOnline.com on Thursday that she wants to bring in a private consulting firm to help the state develop a cyber security plan for all of state government. She said she expects there to be additional costs as the plan goes forward and supports whatever spending is necessary to achieve those results.

Bryant told GreenvilleOnline.com that legislators should closely examine any spending on the issue. He cited the spending of more than $100 million for a state accounting and business information system as an example of a lack of oversight on technology expenditures.

(Page 2 of 2)

“I think the Legislature needs to micromanage this, probably more than we have in the past, when it comes to spending money on technology,” he said. “Because you never know what you are getting.”

Bryant said the panel will take the criminal investigation into consideration but won’t wait for that to finish before beginning hearings.

“There’s conflicting information out there,” Bryant said about the breach. “Our final goal is to protect the taxpayer. And we need to do that by getting them an accurate story and then what is our obligation in the future.”

The Senate Finance Committee last week held a public hearing to question agency officials about the breach but Bryant said “most members have more questions now than before that meeting.”

Leatherman agreed.

“I don’t think any senator was satisfied with the answers we got,” Leatherman said.

“More questions were raised than answers were provided. (Revenue Director Jim) Etter first told us he did not know if private information of companies was stolen. When members pressed him, however, and after he checked with his staff, he admitted that corporations with state identification numbers had been breached.”

Bryant said he wants to know why South Carolina was hacked. He said he suspects the Revenue Department was attacked because it was the easiest state agency to breach, though Haley has described the hacker as sophisticated and said the agency couldn’t have avoided the intrusion from what she knows.

“You’ll hear this can happen to any agency,” Bryant said. “A lion gets the slowest zebra in the pack. And a hacker is going to go to the easiest target. I think what we’re finding out is that, yes, this can happen in any state and, yes, any organization is susceptible. But if you are the easiest one to get into, that’s where they are going to go.”

Bryant said the subcommittee will first meet the week after Thanksgiving and will start with testimony from some cyber security experts on the basics.